On 24/04/2018 21:35, Fredrik Korsbäck wrote:

> TLDR; So it seems that AS10297 (some small hosting provider in the US) suddenly started to announce de-aggregated AWS
> IP-space, containing quite a lot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and
> pointed *AT LEAST* www.myetherwallet.com to an IP address that seems to be some kind of transparent proxy out of Russia
> with a bogus SSL-cert (but still pretty good) (https://46.161.42.42/)
>
> I did digging in my own logs and played it through BGP-play - seems like it was in fact only Hurricane Electric (6939)
> that actually propagated this prefix to the Internet. Which makes sense since we have seen them being part of the
> problem in almost all recent hijacks.

In addition to HE there was AS19151 - WV Fiber that accepted the /24s,
but based on BGPlay (attached) it seems that the main culprit was HE
that propagated it onward.

-Hank
